I added the following lines to my .htacces file:
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
But I always got the following error:
Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration
I don't get it. Which Apache module do I have to activate? What's wrong with these lines?
Thx, David
Add those lines into your httpd.conf configuration files, or inside your virtualhost sections, or inside your .htaccess files:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
You may also be interested in adding those headers:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
You have to enable (LoadModule) mod_headers if not already enabled, then restart apache.
I'm not an apache expert, but content security policy is a response header. http://httpd.apache.org/docs/2.2/mod/mod_headers.html
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With